# Scrapes Open Source Intelligence (OSI) data for sending via Syslog to SIEMs etc.
# Greg Martin - Alchemy Security (c) 2010
# gmartin@alchemysecurity.com
#
# Modified for Python 3.x by Mark Jacob, Arcsight Inc. mjacob@arcsight.com
#

import sys
import time
import re
import http
import socket
import urllib.request

# Gets the syslog receiver destination IP from cmdline.
if (len(sys.argv) > 1):
    dest = sys.argv[1]
else:
    print 'Usage: arcosi.py <connecter ip> \n'
    print 'ex. ./arcosi.py 127.0.0.1 \n'
    sys.exit()

print (" \n************\n** ArcOsi **\n************\n\nCEF Open Source Intelligence sender. Syslogging to IP: "+dest+" on UDP port 514 \n")

# define syslog standard facilities and levels

FACILITY = {
        'kern': 0, 'user': 1, 'mail': 2, 'daemon': 3,
        'auth': 4, 'syslog': 5, 'lpr': 6, 'news': 7,
        'uucp': 8, 'cron': 9, 'authpriv': 10, 'ftp': 11,
        'local0': 16, 'local1': 17, 'local2': 18, 'local3': 19,
        'local4': 20, 'local5': 21, 'local6': 22, 'local7': 23,
}

LEVEL = {
        'emerg': 0, 'alert':1, 'crit': 2, 'err': 3,
        'warning': 4, 'notice': 5, 'info': 6, 'debug': 7
}

# Open source inteligence sources (URLs explicitly listing known bad IP addresses)

SOURCE = [
		'http://www.mtc.sri.com/live_data/attackers/',
                'http://isc.sans.edu/reports.html',
                'https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist',
                'http://www.emergingthreats.net/rules/emerging-botcc.rules',
                'http://www.projecthoneypot.org/list_of_ips.php'
]

# Simple IP address scraper - NB Python 3.x needs urlopen bytes converted to string - MSJ

def scrape(url):
        f = urllib.request.urlopen(url)
        content = f.read()
        f.close()
        contstr = content.decode("utf8")
        print ("\nScraping IPs notified by: "+url+"\n")

        regex = re.compile(r"\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b")
        results = re.findall(regex, contstr)
        return results


def syslog(message, level=LEVEL['notice'], facility=FACILITY['daemon'], host='localhost', port=514):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        data = '<%d>%s' % (level + facility*8, message)
        
# Again Python 3.x needs to convert string to bytes for sending to syslog socket - MSJ
        sock.sendto(bytes(data + "\n","utf8"), (host, port))

def main():
        x = 0
        while x <= 4:
            op = scrape(SOURCE[x])
            for i in op:
                ip = i[0]+'.'+i[1]+'.'+i[2]+'.'+i[3]
                print ("Sending CEF for known bad IP: "+ip+" \t Provided by: "+SOURCE[x])
                cef = 'CEF:0|Alchemy Security|ArcOSI|1.1|100|Known Malicious Host|1|src='+ip+' msg='+SOURCE[x]
                time.sleep(.02)
                syslog(cef, host=dest)
            x += 1

main()
